Part 1: Getting Netscaler system data to Splunk

a) Configuring Splunk to listen on a UDP port for syslog data

b) Configuring Citrix NetScaler to send system/console data to Splunk

Part 2: Setting up your Splunk alert

Let’s Go…

a) Configuring Splunk to listen on a UDP port for syslog data

Configure a UDP data input, if you haven’t already. You may use the standard 514/udp with the default index, but I like to create one explicitly for the NetScaler devices. That lets me send the data to a dedicated index, override the source name, and set the sourcetype.

Let’s say you want to use 515/udp for this. From Splunk Manager -> Data Inputs -> UDP, create a new listener on port 515. Set the source name override here (I use netscaler); this replaces the default source value of udp:515. Set the sourcetype to Manual and enter ns_log. I also select the ww-netscaler index here (world wide netscaler). Keep in mind that a UDP syslog listener accepts packets from any host that can reach the port and has no way to verify the sender, so restrict access to it at the firewall to the NetScaler management addresses.

Once the NetScaler side is configured in the steps below, you should see working system/console logs from the NetScaler on this input.

Splunk – Data Inputs

Splunk – Data Inputs – UDP (for Netscaler)

b) Configuring Citrix NetScaler to send system/console data to Splunk

Configure Audit Server and Audit Policy

You can do this by clicking System -> Auditing -> Policies -> Servers tab.

Right click and add a new server. Enter the Splunk IP and the listener port you set up earlier.

Personally, I log everything except DEBUG. It’s up to you to work out the differences between the levels and choose. Everything except DEBUG will catch failed login attempts, which is the scope of this document.

Under System -> Auditing -> Policies, click the Policies tab; right click, Add.
Enter the policy name, set Auditing Type to SYSLOG, and under Server select the audit server you created in the previous step. The policy must also be bound (globally, or to the entity you want audited) before the NetScaler will send anything to it.

You’re done. Check Splunk for your data to ensure it’s being sent.

Netscaler – Configure Audit Server

Netscaler – Bind Audit Policy to Audit Server
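For anyone who prefers to script this rather than click through it, here is the same configuration as a Splunk inputs.conf stanza and the equivalent NetScaler CLI commands. This is an added example, not taken from the original post; the Splunk address 10.0.0.10, the action and policy names, and the priority are assumptions, and the classic ns_true policy expression assumes a NetScaler release that still accepts classic audit policies.

```text
# Splunk: $SPLUNK_HOME/etc/system/local/inputs.conf
# Equivalent of the Data Inputs -> UDP screen above: listener on 515/udp,
# source overridden to "netscaler", sourcetype ns_log, dedicated index.
[udp://515]
sourcetype = ns_log
source = netscaler
index = ww-netscaler
connection_host = ip

# NetScaler CLI (nscli), equivalent of the Auditing -> Policies screens above.
# Audit server: Splunk at 10.0.0.10:515 (assumed address), every level except DEBUG.
add audit syslogAction splunk_syslog 10.0.0.10 -serverPort 515 -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -dateFormat MMDDYYYY

# Audit policy pointing at that server; ns_true means "every event".
add audit syslogPolicy splunk_syslog_pol ns_true splunk_syslog

# Nothing is sent until the policy is bound; bind it globally.
bind system global splunk_syslog_pol -priority 10

# Persist across reboots.
save ns config
```

Verify with `show audit syslogAction splunk_syslog` and `show system global` on the NetScaler, then log in with a deliberately wrong password and check that the event shows up in Splunk under `index=ww-netscaler sourcetype=ns_log`.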

Part 2: Setting up your Splunk alert

Create your real-time alert as shown below. The search query is the most important part: make sure the eventtype (or the search terms) actually matches the failed-login events arriving on the ns_log sourcetype, and run the search against live data before saving it as an alert. <… CHECK MY PROPS AND TRANSFORMS, I FORGET IF I DID ANY INTERESTING EXTRACTIONS …>

Splunk – Netscaler Failed Login Attempt Alert
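To show what the alert logic has to do, here is the same failed-login detection written out in Python and run over a handful of constructed NetScaler audit lines. This is an added example and not code from the original post. The sample lines are modeled on the NetScaler CMD_EXECUTED audit format (User / Remote_ip / Command / Status fields); their exact wording, the IP addresses, and the threshold of three failures per source are assumptions, so check the pattern against your own ns_log events before building a search on it.

```python
import re
from collections import defaultdict

# Constructed sample events, modeled on the NetScaler CMD_EXECUTED audit line
# (field names and wording are an assumption; compare with real ns_log data).
SAMPLE_EVENTS = [
    '01/15/2015:10:05:01 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 101 0 : '
    'User nsroot - Remote_ip 10.1.1.50 - Command "login nsroot "********"" - '
    'Status "ERROR: Invalid username or password"',
    '01/15/2015:10:05:09 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 102 0 : '
    'User admin - Remote_ip 10.1.1.50 - Command "login admin "********"" - '
    'Status "ERROR: Invalid username or password"',
    '01/15/2015:10:05:15 GMT ns1 0-PPE-0 : default GUI CMD_EXECUTED 103 0 : '
    'User nsroot - Remote_ip 10.1.1.50 - Command "login nsroot "********"" - '
    'Status "ERROR: Invalid username or password"',
    '01/15/2015:10:06:40 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 104 0 : '
    'User nsroot - Remote_ip 10.1.1.60 - Command "login nsroot "********"" - '
    'Status "ERROR: Invalid username or password"',
    '01/15/2015:10:06:52 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 105 0 : '
    'User nsroot - Remote_ip 10.1.1.60 - Command "login nsroot "********"" - '
    'Status "Success"',
    '01/15/2015:10:07:03 GMT ns1 0-PPE-0 : default CLI CMD_EXECUTED 106 0 : '
    'User nsroot - Remote_ip 10.1.1.60 - Command "show ns ip" - Status "Success"',
]

# Only "login" commands are of interest; the lazy .*? absorbs the nested quotes
# around the masked password in the Command field.
LOGIN_RE = re.compile(
    r'User (?P<user>\S+) - Remote_ip (?P<ip>\S+) - '
    r'Command "login .*?" - Status "(?P<status>[^"]*)"'
)


def parse_login_events(lines):
    """Return one dict per login attempt (successful or failed) found in lines."""
    events = []
    for line in lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue  # not a login command, ignore
        status = m.group('status')
        events.append({
            'user': m.group('user'),
            'ip': m.group('ip'),
            'status': status,
            'failed': status.startswith('ERROR'),
        })
    return events


def failed_login_counts(lines):
    """Count failed logins per source IP, the rough equivalent of
    `... | stats count by Remote_ip` in the Splunk search."""
    counts = defaultdict(int)
    for ev in parse_login_events(lines):
        if ev['failed']:
            counts[ev['ip']] += 1
    return dict(counts)


def alert_sources(lines, threshold=3):
    """Source IPs that reached the failure threshold and should raise the alert."""
    return sorted(ip for ip, n in failed_login_counts(lines).items() if n >= threshold)


if __name__ == '__main__':
    for ip, n in failed_login_counts(SAMPLE_EVENTS).items():
        print(f'{ip}: {n} failed login(s)')
    print('alert on:', alert_sources(SAMPLE_EVENTS))
```

Counting per source IP rather than per user is deliberate: a password-guessing run usually rotates usernames from one address, so a per-user count can stay below any sensible threshold. The Splunk equivalent of `failed_login_counts` would be a search such as `index=ww-netscaler sourcetype=ns_log CMD_EXECUTED login "ERROR: Invalid username or password" | stats count by Remote_ip` (an assumption, since it depends on the field extractions you have in props and transforms), with the alert condition set on the count.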

There you go. In the next post, I will show how to set up and listen to AppFlow.